diff --git a/lib/puppet_x/puppetlabs/firewall/utility.rb b/lib/puppet_x/puppetlabs/firewall/utility.rb
index 56e03f727..e8a622d79 100644
--- a/lib/puppet_x/puppetlabs/firewall/utility.rb
+++ b/lib/puppet_x/puppetlabs/firewall/utility.rb
@@ -141,7 +141,7 @@ def self.host_to_mask(value, proto)
 # Translate the symbolic names for icmp packet types to integers
 def self.icmp_name_to_number(value_icmp, protocol)
- if value_icmp.to_s.match?(%r{^\d+$})
+ if value_icmp.to_s.match?(%r{^(\d+|\d+/\d+)$})
 value_icmp.to_s
 elsif ['IPv4', 'iptables'].include?(protocol)
 # https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
diff --git a/spec/acceptance/rules_spec.rb b/spec/acceptance/rules_spec.rb
index 1925fa18a..8c2e9d5ba 100644
--- a/spec/acceptance/rules_spec.rb
+++ b/spec/acceptance/rules_spec.rb
@@ -194,6 +194,12 @@ class { 'firewall': }
 icmp => 'time-exceeded',
 jump => 'ACCEPT',
 }
+ firewall { '014 icmp destination-unreachable/fragmentation-needed':
+ proto => 'icmp',
+ icmp => '3/4',
+ jump => 'ACCEPT',
+ }
+
 firewall { '443 ssl on aliased interface':
 proto => 'tcp',
 dport => '443',
@@ -260,6 +266,7 @@ class { 'firewall': }
 %r{-A INPUT -p (icmp|1) -m icmp --icmp-type 3 -m comment --comment "013 icmp destination-unreachable" -j ACCEPT},
 %r{-A INPUT -s 10.0.0.0/(8|255\.0\.0\.0) -p (icmp|1) -m icmp --icmp-type 8 -m comment --comment "013 icmp echo-request" -j ACCEPT},
 %r{-A INPUT -p (icmp|1) -m icmp --icmp-type 11 -m comment --comment "013 icmp time-exceeded" -j ACCEPT},
+ %r{-A INPUT -p (icmp|1) -m icmp --icmp-type 3/4 -m comment --comment "014 icmp destination-unreachable/fragmentation-needed" -j ACCEPT},
 %r{-A INPUT -p (tcp|6) -m tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "020 ssh" -j ACCEPT},
 %r{-A INPUT -i eth0:3 -p (tcp|6) -m tcp --dport 443 -m conntrack --ctstate NEW -m comment --comment "443 ssl on aliased interface" -j ACCEPT},
 %r{-A INPUT -m comment --comment "900 LOCAL_INPUT" -j LOCAL_INPUT},
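Review bot: The new pattern on the `+` line of the utility.rb hunk still anchors with `^`/`$`, which in Ruby match at line boundaries rather than string ends, so any value whose first line is numeric passes the check and is handed back verbatim by `value_icmp.to_s` even if further lines follow; whole-string anchors are the safer form and also fold the two alternatives into one, `if value_icmp.to_s.match?(%r{\A\d+(?:/\d+)?\z})`. The comment above the method says it translates symbolic names to integers, so it is worth adding that numeric `type` and `type/code` strings are returned unchanged, e.g. `# Numeric "type" or "type/code" values are passed through as-is`. The remainder of icmp_name_to_number, including the symbolic-name lookup, lies outside the hunk.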